
SOC 2 Audit
The CNRG DERMs offering is independently audited annually against all five Trust Services Criteria defined in the SOC 2 standard.
These areas include:
Trust Services Criteria 1: Security
Security is the first and arguably the most critical of the Five Trust Services Criteria. It focuses on protecting information and systems against unauthorized access, disclosure, and damage. In an era where cyber threats are constantly evolving, maintaining robust security measures is essential for any business handling sensitive data.
Key Aspects of Security
Access Controls: Implementing strict access controls ensures that only authorized personnel can access sensitive information. This includes measures like multi-factor authentication (MFA), strong password policies, and regular access reviews.
Encryption: Encrypting data both in transit and at rest protects it from being intercepted or accessed by unauthorized parties.
Monitoring and Logging: Continuous monitoring and logging of system activities help detect and respond to security incidents promptly. This includes using security information and event management (SIEM) tools.
Firewalls and Intrusion Detection Systems (IDS): Deploying firewalls and IDS to prevent unauthorized access and detect suspicious activities.
Trust Services Criteria 2: Availability
The Availability criterion focuses on ensuring that systems and services are available for operation and use as committed or agreed upon. Downtime can significantly impact a business’s reputation and bottom line, making it vital to maintain high availability of systems.
Key Aspects of Availability
Disaster Recovery Plans: Developing and regularly testing disaster recovery plans to ensure quick recovery from outages or disruptions.
Redundancy: Implementing redundant systems and failover mechanisms to minimize downtime in case of hardware or software failures.
Capacity Planning: Regularly assessing and planning for system capacity to handle peak loads and future growth.
Maintenance Procedures: Establishing maintenance procedures and schedules to prevent unplanned downtime due to system failures or updates.
Trust Services Criteria 3: Processing Integrity
Processing Integrity ensures that systems process data accurately, completely, and in a timely manner. This criterion is crucial for businesses that rely on data processing to deliver services or make decisions.
Key Aspects of Processing Integrity
Data Validation: Implementing data validation checks to ensure that input data is accurate and complete before processing.
Error Handling: Establishing procedures for detecting and correcting errors during data processing.
Audit Trails: Maintaining detailed audit trails to track data processing activities and identify any discrepancies.
System Testing: Regularly testing systems to ensure they perform as expected and produce accurate results.
Trust Services Criteria 4: Confidentiality
Confidentiality involves protecting sensitive information from unauthorized access and ensuring that it is only disclosed to authorized parties. This criterion is particularly important for businesses handling proprietary information, intellectual property, or customer data.
Key Aspects of Confidentiality
Access Controls: Restricting access to confidential information to authorized personnel only.
Encryption: Using strong encryption methods to protect confidential data during storage and transmission.
Data Masking: Masking sensitive data to prevent unauthorized access while allowing it to be used for testing or analysis.
Confidentiality Agreements: Ensuring that employees, contractors, and third parties sign confidentiality agreements to protect sensitive information.
Trust Services Criteria 5: Privacy
The Privacy criterion focuses on protecting personal information and ensuring that it is collected, used, retained, and disclosed in accordance with the organization’s privacy policy and relevant regulations. With increasing concerns about data privacy, this criterion has become more critical than ever.
Key Aspects of Privacy
Privacy Policies: Developing and publicly disclosing a privacy policy that outlines how personal information is collected, used, and protected.
Data Subject Rights: Implementing processes to address data subject rights, such as access, correction, and deletion requests.
Data Minimization: Collecting only the necessary personal information and retaining it only for as long as needed.
Third-Party Management: Ensuring that third parties handling personal information adhere to the organization’s privacy policy and relevant regulations.